- Bug
- Resolution: Unresolved
- Critical
- None
Using the Authorize Project plugin, we have "Project Default build Authorization" set to "Run as User who Triggered Build".
Then I have project roles letting particular users run specific jobs. To allow those people to also build on the nodes, I assign them the Slave role (see assign_roles.png). That Slave role is allowed to build on ".*" nodes (see manage_roles.png). But still, when a project is triggered by such a user, a message can be seen in the queue:
> 'myusername' lacks permission to run on 'my-node-name-1'
My workaround is to allow global Agent/Build permission to everybody but this is not ideal.
Jenkins 2.190.3
Authorize Project 1.3.0
Role-based Authorization Strategy 2.13
- is related to: JENKINS-68105 Group permissions not recognised by Authorize Project (Open)
The groups that a user is assigned depend on the security realm you use.
I suppose the security realm you use doesn't assign the "authenticated" group to the user when authorize-project queries the user.
I could not reproduce the issue with the built-in "Jenkins’ own user database", as it always assigns the "authenticated" group to the user.
I don't think it's a bug in the security realm, as the query by the authorize-project plugin is independent of the user's login process. The security realm can't tell the authorize-project plugin whether the user is authenticated.
I suppose the "authenticated" group is always assigned for Web UI operations, as Jenkins knows the user is actually authenticated.
I won't fix this issue, as managing actual permissions is outside the domain of authorize-project, and managing permissions carelessly can easily cause security issues.
Please instead create a new group for all Jenkins users and assign the role to that group.
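An added diagnostic for the Jenkins script console, not part of the original report or comments: it loads the user without a login, lists the groups the security realm returns, and checks Agent/Build on the node, the permission the queue message refers to. The user id and node name are the placeholders from the queue message above; it assumes the Acegi-based core API of Jenkins 2.190.x.

```groovy
// Added example: run in Manage Jenkins > Script Console as an administrator.
// Assumes the Jenkins 2.190.x core API; cores from 2.266 on also offer
// impersonate2() / hasPermission2() as the Spring Security equivalents.
import hudson.model.Computer
import hudson.model.User
import jenkins.model.Jenkins

def userId   = 'myusername'       // placeholder taken from the queue message
def nodeName = 'my-node-name-1'   // placeholder taken from the queue message

def user = User.getById(userId, false)   // false: do not create a missing user
if (user == null) {
    println "No Jenkins user record for '${userId}'"
    return
}

// Ask the security realm for the user's identity without a login session.
def auth
try {
    auth = user.impersonate()
} catch (Exception e) {
    println "Security realm could not load '${userId}': ${e.message}"
    return
}

def impersonatedGroups = auth.authorities.collect { it.authority }
println "Groups when impersonated : ${impersonatedGroups}"
println "Has 'authenticated'      : ${impersonatedGroups.contains('authenticated')}"

// For comparison: the groups of the logged-in session running this script.
def sessionGroups = Jenkins.getAuthentication().authorities.collect { it.authority }
println "Groups of this session   : ${sessionGroups}"

def node = Jenkins.get().getNode(nodeName)
if (node == null) {
    println "No node named '${nodeName}'"
    return
}

// Evaluate Agent/Build on the node for the impersonated identity.
def allowed = node.getACL().hasPermission(auth, Computer.BUILD)
println "Agent/Build on ${nodeName} for ${userId}: ${allowed}"
```

If the impersonated group list lacks the group that carries the Slave role while the session list has it, assigning the role to a group the security realm itself returns for the user, as the comment above suggests, avoids granting Agent/Build globally.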